No doubt your organisation has been delivering a significant amount of GDPR training over the past couple of years, but has it worked? Your GDPR training should deliver front-line impact helping your staff to protect your organisation against data breaches and to protect the rights of individuals. However, a recent personal experience suggests this might not always be the case.
It’s my data…
Have you ever tried to make a Subject Access Request? Last month I found myself having so many service issues with my broadband provider that I felt I needed to see the records containing my personal data. It was quite an eye-opening experience.
After a particularly frustrating call (one of many) with my service provider I told the customer service adviser that I wanted to make a subject access request.
She told me she didn’t know what that was.
I explained that the GDPR gives individuals a right of access to their personal data.
She told me she didn’t know anything about GDPR or data privacy and that she had never had any training… but she would speak to her manager.
I subsequently got an e-mail telling me that, having spoken to her manager, she could inform me that I had to send my request in writing, by post, to the Data Protection Manager who would then help me with my request.
What went wrong?
This organisation is a major player in a sector that handles huge volumes of customers’ personal data. I think it’s highly unlikely that they are simply unaware of GDPR. I’m pretty sure they will have amended their processes and I’m also sure they will have trained their staff – especially their frontline call centre staff who deal with customers, and their personal data, on a daily basis. So, what went wrong?
Put simply, it looks like their training didn’t work and that they have failed to transfer new process changes effectively into day-to-day operations. The customer service assistant I spoke to did do the right thing by saying that she didn’t know and then seeking advice from her manager. Unfortunately, her managers had clearly not been equipped with the necessary knowledge or resources to help their team members.
How can we fix it?
If you manage data privacy risk for your organisation you have probably undertaken some form of training, but do you know if it worked? I would strongly recommend mystery shopping your business for key customer facing privacy issues such as subject access requests and the right to be forgotten. You will quickly get a sense of how effective your training has been.
If you do uncover any concerns it’s possibly because your training simply wasn’t memorable enough. Research tells us that as soon as learning events end, forgetting begins.
In learning and development circles this is known as Ebbinghaus’s forgetting curve and it looks like this:
The curve shows how information is lost over time when there is no attempt to retain it. The longer we go without repeating key messages, the more forgetting will happen. If your data privacy training is an annual, or even less frequent event, then don’t be surprised if people remember very little by the time the next training happens. The risk in the intervening period is clear – if you want people to remember your training then you need to regularly repeat key messages over time.
It turns out that, at least as far as learning is concerned, little and often is the best approach.
The spacing effect is one of the oldest and best documented phenomena in the history of learning and memory research.
Harry Bahrick & Lynda Hall (2005, page 566), Journal of Memory and Language
Good training is, of course, vital to helping employees understand data privacy risk, but are you helping people transfer their learning to the workplace in practical ways? As Atul Gawande writes in The Checklist Manifesto:
The volume and complexity of what we know has exceeded our individual ability to deliver its benefits correctly, safely, or reliably. Knowledge has both saved us and burdened us
Supporting on-job performance with simple tools to help employees manage risk ‘in the moment’ can deliver tangible benefits. Consider building simple job aids, checklists and other tools that are easy to access and easy to understand and use. Checklists have been shown to positively impact the performance of surgeons and airline pilots in performing complex processes so it’s likely they can help to support performance in other sectors by protecting against failure and establishing a higher standard of baseline performance.
Finally, as my subject access example shows, line managers are an important source of support, advice and information for their teams. Are you equipping line managers with the tools and knowledge that they need to help their teams stay compliant?
How to remember GDPR
So, here are four things you can do to help your employees remember what they need to know about GDPR: